CVE-2004-0067

phpGedView < 2.65 - Cross-Site Scripting via Multiple Scripts


Exploitation Summary

EIP tracks 14 public exploits for CVE-2004-0067. PoCs published by JeiAr.

AI-analyzed exploit summary: The provided text describes a cross-site scripting (XSS) vulnerability in PhpGedView due to improper sanitization of user-supplied URI input. An attacker could craft a malicious URI to execute arbitrary script code in the context of the victim's browser.

Description

Multiple cross-site scripting (XSS) vulnerabilities in phpGedView before 2.65 allow remote attackers to inject arbitrary HTML or web script via (1) descendancy.php, (2) index.php, (3) individual.php, (4) login.php, (5) relationship.php, (6) source.php, (7) imageview.php, (8) calendar.php, (9) gedrecord.php, (10) login.php, and (11) gdbi_interface.php. NOTE: some aspects of vector 10 were later reported to affect 4.1.

Exploits (14)

exploitdb WRITEUP VERIFIED
by JeiAr · text · webapps · php
https://www.exploit-db.com/exploits/24810

The provided text describes a cross-site scripting (XSS) vulnerability in PhpGedView due to improper sanitization of user-supplied URI input. An attacker could craft a malicious URI to execute arbitrary script code in the context of the victim's browser.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: PhpGedView (version not specified)
No auth needed
Prerequisites: Victim must follow a malicious link
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by JeiAr · text · webapps · php
https://www.exploit-db.com/exploits/24837

The provided text describes a SQL injection vulnerability in PhpGedView 2.65beta5 and earlier, where the 'pids' parameter in timeline.php is not properly sanitized. It includes a sample URL demonstrating the injection point but lacks executable exploit code.

Classification: Writeup 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Theoretical
Target: PhpGedView <= 2.65beta5
No auth needed
Prerequisites: Access to the timeline.php endpoint
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by JeiAr · text · webapps · php
https://www.exploit-db.com/exploits/24819

The provided text describes a cross-site scripting (XSS) vulnerability in PhpGedView due to improper sanitization of user-supplied URI input. An attacker could craft a malicious URI to execute arbitrary script code in the context of the victim's browser.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: PhpGedView (version not specified)
No auth needed
Prerequisites: Victim must follow a malicious link
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by JeiAr · text · webapps · php
https://www.exploit-db.com/exploits/24832

The exploit demonstrates a cross-site scripting (XSS) vulnerability in PhpGedView by injecting malicious HTML and script code via the 'path_to_find', 'pid1', and 'pid2' URI parameters. The vulnerability arises due to insufficient input sanitization, allowing arbitrary script execution in the context of the affected site.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: PhpGedView (version not specified)
No auth needed
Prerequisites: Victim must follow a malicious URI link
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by JeiAr · text · webapps · php
https://www.exploit-db.com/exploits/24835

The provided text describes a SQL injection vulnerability in PhpGedView, detailing how unsanitized user input in the 'level' and 'parent' parameters can manipulate SQL queries. It includes example URLs demonstrating the exploit but lacks actual exploit code.

Classification: Writeup 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Theoretical
Target: PhpGedView 2.65beta5 and earlier
No auth needed
Prerequisites: Access to the vulnerable PhpGedView instance
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by JeiAr · text · webapps · php
https://www.exploit-db.com/exploits/24830

The provided text describes a cross-site scripting (XSS) vulnerability in PhpGedView due to improper sanitization of user-supplied URI input. The example URI demonstrates how an attacker could inject malicious HTML and script code.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: PhpGedView (version not specified)
No auth needed
Prerequisites: Victim must follow a malicious URI link
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by JeiAr · text · webapps · php
https://www.exploit-db.com/exploits/24829

The provided text describes a cross-site scripting (XSS) vulnerability in PhpGedView due to improper sanitization of user-supplied URI input. The example URI demonstrates how an attacker could inject malicious HTML and script code.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Theoretical
Target: PhpGedView (version not specified)
No auth needed
Prerequisites: Victim must follow a malicious URI link
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by JeiAr · text · webapps · php
https://www.exploit-db.com/exploits/24831

The provided text describes a cross-site scripting (XSS) vulnerability in PhpGedView due to improper sanitization of user-supplied URI input. An attacker could craft a malicious URI to execute arbitrary script code in the context of the victim's browser.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: PhpGedView (version not specified)
No auth needed
Prerequisites: Victim must follow a malicious link
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by JeiAr · text · webapps · php
https://www.exploit-db.com/exploits/24816

This exploit demonstrates a cross-site scripting (XSS) vulnerability in PhpGedView due to improper sanitization of user-supplied URI input. An attacker can craft a malicious URI to execute arbitrary JavaScript in the context of the victim's browser session.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: PhpGedView (version not specified)
No auth needed
Prerequisites: Victim must follow a crafted malicious link
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by JeiAr · text · webapps · php
https://www.exploit-db.com/exploits/24814

The provided text describes a cross-site scripting (XSS) vulnerability in PhpGedView due to improper sanitization of user-supplied URI input. The example URI demonstrates how an attacker could inject hostile HTML and script code.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Theoretical
Target: PhpGedView
No auth needed
Prerequisites: A victim user must follow a malicious URI link
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by JeiAr · text · webapps · php
https://www.exploit-db.com/exploits/24820

The provided text describes a cross-site scripting (XSS) vulnerability in PhpGedView due to improper sanitization of user-supplied URI input. An attacker could craft a malicious URI to execute arbitrary script code in the context of the victim's browser.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Theoretical
Target: PhpGedView (version not specified)
No auth needed
Prerequisites: Victim must follow a malicious URI link
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by JeiAr · text · webapps · php
https://www.exploit-db.com/exploits/24821

The provided text describes a cross-site scripting (XSS) vulnerability in PhpGedView due to improper sanitization of user-supplied URI input. It includes an example URI demonstrating the vulnerability but lacks executable exploit code.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Theoretical
Target: PhpGedView (version not specified)
No auth needed
Prerequisites: Victim must follow a malicious URI link
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by JeiAr · text · webapps · php
https://www.exploit-db.com/exploits/24822

The provided text describes a cross-site scripting (XSS) vulnerability in PhpGedView due to improper sanitization of user-supplied URI input. An attacker could craft a malicious URI to execute arbitrary script code in the context of the victim's browser session.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: PhpGedView (version not specified)
No auth needed
Prerequisites: Victim must follow a malicious URI link
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by JeiAr · text · webapps · php
https://www.exploit-db.com/exploits/24834

This exploit demonstrates a cross-site scripting (XSS) vulnerability in PhpGedView due to improper sanitization of user-supplied URI input. The provided URLs show how an attacker can inject malicious HTML and script code via the 'day', 'month', and 'year' parameters.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: PhpGedView (version not specified)
No auth needed
Prerequisites: Victim must follow a malicious link
devstral-2 · analyzed Feb 16, 2026

References (26)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/36285
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/11891
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/3473
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26628
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/3478
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/14212
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/11904
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/2995
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/11903
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1018613
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/11888
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/3476
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/11905
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/3475
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/3477
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/11907
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/3479
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/11882
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/11906
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/11880
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/3474
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/11890
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/11894
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=107394912715478&w=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/11868
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/477881/100/0/threaded

Scores

EPSS: 0.0315
EPSS Percentile: 86.3%

Details

CWE: CWE-79
Status: published
Products (1): phpgedview/phpgedview < 2.65
Published: Feb 17, 2004
Tracked Since: Feb 18, 2026